IDA Cyber Insurance - Managing Cyber Risk


Data breaches involving significant personal information losses and financial impact are becoming increasingly common. Whether the data breach has financial implications for customers or business partners or results in the loss of private information, companies are being held liable for these losses. The costs can run into the hundreds of millions of dollars depending on the type and size of the breach. Most states have some type of data breach law requiring notification of affected residents within a reasonable timeframe, breaches are being made public much sooner, and business reputations are being affected. As a result, the insurance industry is seeing a sharp increase in demand for cyber insurance offerings to businesses.

What is cyber insurance? Cyber insurance is a risk transfer product that corporations can buy to mitigate losses due to information technology (IT) problems. Gartner has defined cyber insurance as “protection against losses related to cyber risks, such as data theft/loss, business interruption caused by a computer malfunction or virus, and fines or lost income because of system downtime, network intrusion and/or information security breaches.”[1] The cyber insurance market, spurred by increasing costs due to loss of personal information, is estimated to be $2 billion and growing.[2]

Who sells it and what does it cover? Major insurance companies like Zurich, American International Group, Inc. (AIG), and Allianz sell cyber insurance products to businesses. In a recent report, Gartner stated that at least 20 insurers sell cyber insurance. Insurance breaks down into two main types: first-party and third-party coverage. First-party policies cover losses incurred directly, like lost income and IT expenses; third-party policies cover liabilities to others, such as damage to others’ IT systems and fines for loss of personally identifiable information (PII).[3, 4] One Lloyd’s of London insurer has created a policy for insuring data stored in the cloud.[5] Typically, businesses that install or service software or networks or provide IT consulting for their clients use third-party insurance. If a breach occurs, it is the people and businesses that developed, maintained, and managed the system that are primarily responsible for data loss. Non-IT businesses that use an IT system, by contrast, are covered by first-party insurance. For example, Sony incurred substantial first-party losses, including the cost of investigating the system, injury to reputation, and business interruption losses.

Most cyber liability insurance, both first- and third-party, is a combination of four components: errors and omissions, media liability, network security, and privacy. Errors and omissions covers claims related to performance of services such as software development or consulting services associated with IT systems. Media liability covers claims related to intellectual property or copyright/trademark infringement, libel, and slander. Technology companies that maintain online content include a media liability component in their coverage. Network security covers a failure in network security, which can result in data breaches, destruction of data, virus transmission, and cyber extortion. The privacy component covers loss of personal information, including physical records, loss of a laptop with personal information on it, sending a file containing customer data to the wrong email address, or returning leased equipment without wiping the hard drive.[6]
If a data breach occurs, first-party insurance most commonly covers notifying clients that their information was compromised or exposed, credit monitoring services for customers affected by the breach, public relations campaigns to restore the reputation of the business, compensation for income that the business was not able to earn while it recovered from the breach, expenses related to regulatory compliance, and payment to a cyber extortionist holding data hostage or threatening an attack. Third-party coverage shields a business when its clients suffer a breach because of an alleged mistake on the business’s part and covers settlements or judgments and any court costs that result from a data breach.

Why are people buying it? According to insurance underwriters and brokers, two of the main reasons businesses purchase cyber insurance are: (1) the increasingly ominous stories of major breaches and (2) new requirements that mandate cyber coverage.[7]

Whereas previously a customer might not ever have known that his or her data had been compromised, 47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands now have laws requiring private or government entities to notify affected individuals of security breaches involving PII in a timely manner.[8] The laws identify the type of information that should be reported and the timeframe within which notification should occur. There are also federal regulations with respect to data breaches. The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, 45 CFR §§ 164.400-414, contains guidelines for notifying consumers when their private health information has been breached. The Federal Trade Commission has been promoting a federal data breach law to standardize the rules for notification and penalties for data breaches. As federal and state governments impose financial penalties for the loss of PII, cyber insurance is likely to become a more critical risk-management tool.
What are the drawbacks? One insurance executive stated that cyber insurance “is a difficult risk to price by traditional insurance methods as there currently is not statistically significant actuarial data available.”[9] This has led to steeply rising prices for these insurance products. Insurance lawyer David E. Wood suggests that cyber insurers are underpricing their products and are not prepared for a catastrophic cyber event.[10] Stephen Catlin, CEO of a Lloyd’s of London insurer, stated that cyber risk is the “biggest, most systemic risk” he has seen in his career.[11] Other researchers also note a number of problems with cyber insurance, including unclear coverage, the lack of good actuarial data, and the “lack of adequate reinsurance” for cyber insurers.[12, 13, 14]

Crucially for the Department of Defense (DoD), many cyber insurance policies exempt from coverage the types of scenarios most likely to affect the department. A cyber insurance policy from AIG specifically excludes Acts of War, including “...military action (whether war is declared or not)...,” and Government Action “arising out of, based upon or attributable to any seizure, confiscation, nationalization, breach of security, use, misuse or destruction of a Computer System or Electronic Data by or on behalf of any governmental, military, enforcement or other public body or authority....”[15]

The cyber insurance policy from Allianz similarly excludes “War, Terrorism, looting and Governmental Acts.”[16] “War means war, any invasion, act of foreign enemy, hostile operations (whether war has been declared or not)....” Additionally, both the AIG and Allianz policies exclude losses of trade secrets and intellectual property. AIG even excludes the loss of personal information from coverage.

Even in the cases in which cyber insurance does cover a loss, it may not cover 100 percent of the damages. Cyber insurance covered only half of the costs associated with the Home Depot and Target breaches.[2]

What role does cyber insurance play in cybersecurity? To understand how cyber insurance can improve security for businesses, it is important to understand the role insurance plays in managing risk. Insurance is designed to cover loss due to unforeseen circumstances. Coverage and premiums are based on the probability of the event happening and the expected financial loss. Thus, insurance allows businesses to transfer and pool their risk, thereby reducing the financial impact if an unforeseen event occurs.

Insurance has played a key role in the development of modern safety codes and standards in a number of industries. One example is the fire suppression sprinkler systems that we have today. When sprinklers were originally developed in the late 1800s, they were shown to be effective in reducing the damage caused by fires. But standards for pipe size and sprinkler placement varied widely, resulting in some unreliable systems (i.e., small pipes, less water flow; too-wide placement, less coverage). In 1895, representatives of the sprinkler and fire insurance industries had a series of meetings to discuss the issue. These meetings resulted in standards for sprinkler installation that were implemented by the sprinkler industry and required by insurance underwriters.[17]

A similar situation exists today; every year, more and more businesses are experiencing cyber attacks resulting in significant loss of data. At the same time, there is little standardization of the processes for managing cyber risk. Insurers can play a key role in creating standardized cyber risk-management processes that will reduce the probability of a successful attack and bolster a business’s security posture. Similar to the fire protection industry, insurers can promote information sharing among businesses to identify new threats and vulnerabilities and how to protect from them.

The U.S. Department of Homeland Security (DHS) states that “A robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.”[18] According to the Department of the Treasury, “Cyber insurance could cause critical infrastructure policyholders to bolster cybersecurity since insurers have strong financial incentives to establish minimum-security standards, monitor cyber threats, and improve the quality of data collection.”[19]

Insurance companies face many challenges in developing cybersecurity insurance policies due to a lack of data that can be used to develop actuarial tables, upon which insurance coverage and premiums are based. Insurers writing cyber policy coverage are interested in the risk-management approach a business applies to protect its networks and its assets and thereby lessen the impact of an attack. This includes disaster response plans, how employees and others access data systems, and, at a minimum, the antivirus and anti-malware software used by the business, the frequency of updates, and the performance of firewalls.


[Figure: Impact of Cyber Events in 2014]
What role does the U.S. Government play in cyber insurance? The Federal Government has a vested interest in protecting national security assets, such as critical cyber infrastructure and sensitive data. An evolving cyber insurance market currently relies on policies that can have significant cost and limited coverage. In the face of these restrictions, the private sector has encouraged Congress to develop legislation or extend existing legislation that provides liability protections for the providers of cyber security solutions or participants in information sharing programs in the event of a cyber attack. For example, the 113th Congress entertained expanding the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 (the SAFETY Act) to qualified cyber incidents.

The purpose of the SAFETY Act was and is to incentivize the sellers of anti-terrorism technologies who might not bring needed techniques to market because of fear of liability and unaffordability of insurance for third-party claims arising from an act of terrorism. Expansion of the existing SAFETY Act or creation of additional, similar legislation for cyber security technologies could be a statutory method of limiting liability, with the intent to allow for affordable cyber insurance policies. Although the SAFETY Act does not preclude providers of cyber security technologies from obtaining protections, the application of the statute is limited to acts of terrorism, which may not include all cyber events.

Aside from legislation, it is not clear what the U.S. Government’s role in cyber insurance should be. However, one role might be promoting collaboration and cooperation across private industry and government to facilitate information sharing, allowing IT security professionals to reduce known vulnerabilities across their systems. Information sharing is an important component of cyber risk management and a requirement for many cyber insurance programs.

One method for public-private collaboration currently in place is the information sharing and analysis centers (ISACs), created in 1998 by presidential directive. The ISACs act as neutral parties that work within sectors to address physical and cyber threats, incidents, and vulnerabilities.[20] Covering a wide range of sectors, including defense, electrical services, health care, and IT, the ISACs provide information on current threats, vulnerabilities, and incidents for dissemination to all ISAC members. However, the promise of the ISACs has never been fully realized. American Express (AmEX) Chairman and CEO Kenneth Chenault recently said that AmEX “sources over 100,000 attack indicators yearly from various sources, but only five percent come from industry sharing through their ISAC and less than one percent comes from the government.”[21] National policy has shifted the model for information sharing to one focusing on standards-based sharing in certified “information sharing and analysis organizations (ISAOs).” Where the ISACs are sector-based, the ISAOs are affinity-based and focus on particular emerging threats and vulnerabilities. ISAO membership can cross sectors, regions, and other similar interests.[22, 23]

Another potential role for government would be fostering the development of exposure models for cyber risk based on the experience of the Defense Industrial Base (DIB) - where it should have the most serial and complete data sets. Even if the data quality is high, however, questions would remain on the broad applicability of defense sector cyber risk numbers, given the special (e.g., state sponsorship) nature of most of the purported attackers.

What  does  this  mean  for  DoD? 

DoD is not the intended customer for cyber insurance, but many of the risk-management elements required by insurers would be useful in maintaining cybersecurity. DoD already promotes the use of best practices to limit the probability that losses of sensitive information will occur. It currently requires contractors to have IT risk-management plans, which aligns with the idea that a risk-management plan should be in place before a business can be insured. In addition, DoD requires contractors to report evidence of a cyber attack within 72 hours of the event. Several Defense Federal Acquisition Regulation Supplements (DFARS) have been created over the past few years to address cybersecurity for IT systems developed for DoD.

Some within the DoD have suggested that it should require all defense contractors that store and process sensitive information to obtain cyber insurance. They feel that the requirements in the DFARS promote checklist compliance and that companies will be incentivized to put in place and actively manage cybersecurity and risk management procedures in order to become and stay insured.


Anthem - A Case Study

On January 29, 2015, Anthem, Inc., learned of a breach to its IT systems. The breach resulted in the loss of private information about current and former Anthem members. Upon learning of the incident, the company began working to close the vulnerabilities and contacted the FBI to begin an investigation. Anthem contacted its members about 2 weeks later.[25] Investigators suspect state-sponsored Chinese hackers are linked to the attack. Attackers leveraged a vulnerability in the encryption of PII data; data was encrypted in transit but not on its servers, which is where the attack occurred.

Approximately 80 million records were accessed containing names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, and employment information, including income data. Anthem does not believe credit card or banking information was compromised, nor was there evidence that medical information was obtained.[25]

While the eventual costs are currently unknown, they will include the cost of identity protection services for affected customers and of fines and lawsuits (over 50 at this time). It has been reported that Anthem has $10 million in primary cyber coverage and has $150 million to $200 million in cyber coverage from an American International Group (AIG), Inc., unit and additional insurance through other providers, although it is unlikely that the insurance will cover the majority of the costs.[26]




However, major exclusions (such as acts of war or government actions) in current insurance policies severely limit their usefulness for DoD. These exclusions are the very things from which DoD is interested in protecting its data and IT resources. Cyber insurance is more focused on protecting data and systems from criminal activity; it is not clear what additional cybersecurity protection might be needed against cyber industrial espionage or to protect our critical infrastructure from terrorist attack. In addition, federal and state data breach laws already encourage companies that store and process PII data for DoD to obtain cyber insurance.

This gap between insurable losses from cyber operations by non-state and non-state-affiliated actors attacking critical infrastructures (including the DIB entities) and non-insurable losses suffered from attacks by foreign-state-affiliated groups or proxies needs to be addressed. Privately provided insurance coverage is unlikely to provide protection in these situations absent some form of government subsidy.

A common suggestion is to establish a government-sponsored enterprise (GSE) or other mechanism to back any major losses due to acts of war, government actions, or terrorist attacks. It has been suggested that these types of attacks would be considered catastrophic and thus should be supported by the government (e.g., federal disaster relief). But federal backing of catastrophic events assumes that significant cyber attacks would be infrequent, and it is clear that with the number of attacks increasing each year, this assumption is incorrect.

Also, GSE backing could create a situation of moral hazard, in which insurers and reinsurers deliberately prepare themselves for small losses (through increased profit-taking and/or lower premiums) while passing the bill for large losses to the government via the GSE. This could result in significant financial impact on the government. The top 14 cyber events in 2014 had a total estimated cost of over $250 million, and that cost is expected to be much greater in 2015.[24] As the frequency of cyber attacks increases, it is likely that costs for a GSE could quickly rise.

As the market matures, insurers are likely to set premiums in a way that encourages effective risk management. This could drive defense contractors to improve cybersecurity preparedness in ways that make a difference. Additionally, cyber insurance could still cover non-governmental actions, such as criminal theft of DoD PII. While cyber insurance is no panacea for DoD, it can push defense contractors to improve cybersecurity while providing limited coverage of some cyber losses.